On his recent FAIR Institute Cyber Risk Workgroup Call (membership required), FAIR model creator Jack Jones fielded this question: If you had to judge an organization in terms of how well it manages risk using just one metric, what one metric would you use?
Jack had an answer, but to get there he led the group through a discussion that seriously questioned how most organizations understand, measure, and tell themselves stories about risk.
As Jack sees it, "most organizations are living in risk management 'Groundhog Day'," their version of the 1993 movie in which Bill Murray has to relive the same day until he gets it right. Risk managers see the same problems recur even after they "fixed" them.
"They fix the symptoms and rarely get to the root cause," Jack says. And the root cause lies in people and processes, not controls or standards compliance.
But what kind of metric would measure root causes and give risk managers actionable direction on breaking out of Groundhog Day? Listen to the Workgroup Call to find out. And study this mind map for diagnosing root causes in cyber risk (sample below). Careful, it's also the floor plan of a groundhog's burrow.
Coming soon: Jack takes the discussion deeper in Part 2 of "Is There One Best Risk Metric?"
Image: Part of the Root Cause Analysis Mindmap